Re: [PATCH] mtd: fix possible integer overflow in erase_xfer()

From: Miquel Raynal
Date: Thu Jun 19 2025 - 13:15:12 EST

Next message: Miquel Raynal: "Re: [PATCH v1] mtd: nand: brcmnand: replace manual string choices with standard helpers"
Previous message: Chen-Yu Tsai: "[PATCH 1/2] dt-bindings: reset: sun55i-a523-r-ccu: Add missing PPU0 reset"
In reply to: Ivan Stepchenko: "[PATCH] mtd: fix possible integer overflow in erase_xfer()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 19 Jun 2025 17:53:13 +0300, Ivan Stepchenko wrote:
> The expression '1 << EraseUnitSize' is evaluated in int, which causes
> a negative result when shifting by 31 - the upper bound of the valid
> range [10, 31], enforced by scan_header(). This leads to incorrect
> extension when storing the result in 'erase->len' (uint64_t), producing
> a large unexpected value.
>
> Found by Linux Verification Center (linuxtesting.org) with Svace.
>
> [...]

Applied to mtd/next, thanks!

[1/1] mtd: fix possible integer overflow in erase_xfer()
commit: 9358bdb9f9f54d94ceafc650deffefd737d19fdd

Patche(s) should be available on mtd/linux.git and will be
part of the next PR (provided that no robot complains by then).

Kind regards,
Miquèl

Next message: Miquel Raynal: "Re: [PATCH v1] mtd: nand: brcmnand: replace manual string choices with standard helpers"
Previous message: Chen-Yu Tsai: "[PATCH 1/2] dt-bindings: reset: sun55i-a523-r-ccu: Add missing PPU0 reset"
In reply to: Ivan Stepchenko: "[PATCH] mtd: fix possible integer overflow in erase_xfer()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]